September 20, 2022
One Phishing Email, Multiple Evasion Techniques
With organizations using increasingly more security products to protect their email from malicious messages, attachments and links, phishing attempts have had to become more sophisticated. This is an ongoing process in which attackers develop new techniques that help them evade email security solutions to reach their end-user targets.
We have recently come across a phishing email caught by Datto SaaS Defense which utilized multiple evasion techniques, each targeting a different detection mechanism. These techniques, when combined together, allowed it to bypass many email security solutions.
In this blog post, I will take you through the different evasion techniques used in this attack, explain why they help the attack go undetected and suggest how they could be identified.
The attack and its evasion techniques
The email itself lures the user to click a link by informing them that their Office 365 password is about to expire. The user clicks the link in order to update their password and reach this fake Microsoft login webpage:
Take a careful look at this webpage. There are several evasion techniques that make this page look unsuspicious to email security solutions.
The favicon (the icon on the browser tab) is slightly different from the actual Microsoft favicon. The attacker switched the red and the yellow tiles and used white instead of black for the border.
This could cause errors in template matching (a method used by security solutions to identify phishing webpages by comparing them against known brand assets), especially if the comparison is not done in grayscale. Thus, it helps this attack evade phishing detection engines.
The Microsoft logo used in the fake login webpage is slightly different from the original Microsoft logo. As you can see in the image, the attacker used a similar but not identical font as well as bold letters.
This could cause errors in template matching, assuming the Microsoft text is included in the template, further increasing the chances that this attack will be missed by phishing detection engines.
The page might look like it contains a regular form, but it doesn't use the actual <form> tag in HTML as a legitimate Microsoft website would. The attackers created the 'form' using <div> tags and CSS to look exactly the same, as you can see in the following HTML code.
Many phishing detection engines would scan the HTML looking for a <form> tag in order to investigate the form and reveal credential theft attempts. The fact that the form looks like a legitimate form makes the page unsuspicious to victims. The fact there is no <form> tag in the HTML prevents phishing detection engines from identifying the illegitimate form.
Suspicious text in images
Some phishing detection engines scan the webpage for fields that ask for the user’s password (typically variations of the phrase 'enter password'). They then investigate these fields to check if they are legitimate.
In this phishing webpage, the attackers used images of the text instead of the actual text whenever the word password was written.
This method may allow the attack to bypass email security solutions that scan the webpage for phishing attempts, as the detection engine doesn’t recognize the word ‘password’ and thus doesn’t suspect the page to be used for credential harvesting.
Input field in disguise
Another technique that phishing detection engines may use is scanning the HTML for input fields, since their presence indicates that the page might be a credential theft attempt. In this case, the attackers hid the input field by creating an empty div with a background image showing the word password. This is another tactic helping this email attack bypass email security solutions.
The following screenshot shows that the 'Input' field is actually an empty div (with the id of 'spinput'):
Once the user clicks this div, a new div is created with the id of 'inpfield'. This div acts as a text input field to which the user can enter their password.
To make this look real to the user, there is a placeholder with the word ‘password’. To evade detection, the attackers inserted “&shy;” between the letters of the word ‘password’. This is the HTML entity for a soft hyphen, which is invisible when rendered, so the user won’t suspect a thing, while detection engines scanning the raw HTML wouldn’t find the word ‘password’.
Looking carefully, one may notice that the word password in the 'input' field has changed after clicking it from an image to a placeholder. This is how it looks after clicking the fake password field:
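As an added example (not code from this post or from Datto SaaS Defense), the following Python scanner shows how a defender could surface several of the tricks described above: it normalizes text and attribute values so a soft hyphen (`&shy;`, U+00AD) no longer hides the word 'password', flags clickable divs that carry a background image in place of a real input, and reports credential cues on a page that has no `<form>` tag. The HTML sample is constructed to mimic the page described; its element ids and onclick handler are assumptions.

```python
import html
from html.parser import HTMLParser

# Invisible code points that can be inserted inside a keyword to defeat naive
# string matching: soft hyphen, zero-width space/non-joiner/joiner, word joiner.
INVISIBLE = dict.fromkeys(map(ord, "\u00ad\u200b\u200c\u200d\u2060"), None)


def normalize(text: str) -> str:
    """Decode HTML entities (e.g. &shy;), strip invisible characters, lowercase."""
    return html.unescape(text).translate(INVISIBLE).lower()


class PhishPageScanner(HTMLParser):
    def __init__(self):
        super().__init__()          # convert_charrefs=True: entities already decoded
        self.has_form = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.has_form = True
        # Placeholders, alt text, ids and other attribute values are checked after
        # normalization, so 'pass&shy;word' is still recognized as 'password'.
        for name, value in attrs.items():
            if "password" in normalize(value):
                self.findings.append(f"'password' in <{tag} {name}> after normalization")
        # A non-input element that reacts to clicks and shows a background image is
        # the disguised input field described above.
        if tag in ("div", "span") and "onclick" in attrs and "background" in attrs.get("style", ""):
            self.findings.append(f"clickable <{tag}> with background image (id={attrs.get('id', '')!r})")

    def handle_data(self, data):
        if "password" in normalize(data):
            self.findings.append("'password' in visible text after normalization")


def scan(html_doc: str) -> list[str]:
    p = PhishPageScanner()
    p.feed(html_doc)
    # Credential cues without any <form> tag match the shape of the page described above.
    if p.findings and not p.has_form:
        p.findings.append("credential cues but no <form> tag")
    return p.findings


# Constructed sample imitating the described page (ids and handler are assumptions).
SAMPLE = """<html><body>
<div id="spinput" onclick="showInput()" style="background:url(pw.png)"></div>
<div id="inpfield" contenteditable placeholder="pass&shy;word"></div>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```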
What can you do about it?
Phishing is expected to keep evolving and security solutions will have to keep up the pace to prevent phishing attacks from evading their detection engines.
While most email security solutions depend on data from known phishing attempts, Datto SaaS Defense takes a data-independent approach. Datto SaaS Defense detects brand new and unknown phishing threats that other solutions miss by analyzing the composition of a safe email, URL and webpage instead of scanning for known phishing techniques. This is why this particular attack (as well as many others) was stopped by Datto SaaS Defense but bypassed other email security solutions.
If you're interested in learning more, register for our webinar.